We process the personal data of our users only to the extent necessary to provide a functioning website as well as our content and services, and we only process it with their consent or where the processing of personal data is permitted by legal regulations.

The information required by the GDPR on the purpose, type/scope, legal basis, storage period etc. can be found in the following drop-down menus.

Further information on data protection, privacy and information security at Carl von Ossietzky University Oldenburg can also be found under Data Protection and Information Security.

Purpose: Required for proper provision of services/ensuring information security (e.g. identification of DoS attacks)

Type/Scope:

• Web browser type and version
• Operating system
• Website from which you are visiting us (referrer URL)
• Website you are visiting
• Date and time of access
• Your Internet Protocol (IP) address

Legal basis: Art. 6 (1)(e) GDPR in connection with Section of  the 3 Lower Saxony Data Protection Act (NDSG) and Section 3 of the Lower Saxony Higher Education Act (NHG)

Retention period: (up to) seven days

Purpose: Recognizing multiple use of our services by the same user or Internet connection holder. Optimisation of the offerings and facilitation of easier access to the websites of the Controller.

Type/scope: Cookies are small text files that your Web browser stores on your computer. Users are recognised based on the IP address stored in the cookies.

The following data is stored and transmitted in the cookies:

• Preferred font size
• Preferred contrast
• Logged on to the system (only for editing/administration)
• Expiry date

Legal basis: Art. 6 (1)(e) GDPR in conjunction with Section 3 NDSG and Section 3 NHG

Retention period: “Session cookies”, which are deleted after the end of your visit.

Note: You can prevent the installation of cookies by modifying your browser settings accordingly. However, users should be aware that they may not be able to make full use of all features of this website in this case.

When your personal data is processed, you are a data subject within the meaning of the GDPR and are as such entitled to the following rights vis-à-vis the Controller. To exercise your rights, please contact the relevant department (see above for contact details), unless another contact person is expressly indicated.

You can ask the Controller to provide confirmation as to whether it processes personal information regarding you.

If this is the case, you can ask the Controller to provide information on the following data that has actually been processed, and more.

1. The purposes for which the personal data is processed;
2. The categories of personal data processed;
3. The recipients or categories of recipients to which the information about you has been or will be disclosed;
4. The planned duration for which the personal data concerning you are stored or, if no specific information can be provided, criteria for determining the duration of the storage;
5. The existence of the right to request from the Controller rectification or erasure of personal data relating to you, a right to a restriction of processing of personal data relating to you or to object to such processing;
6. The right to lodge a complaint with a supervisory authority;
7. All information available on the origin of the data if the personal data are not collected from the data subject.

You are entitled to request information as to whether the personal data concerning you will be transferred to a third country or to an international organisation. In this context, you can request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transfer.

You have the right to have your personal data corrected and/or completed by the Controller if they are incorrect or incomplete. The Controller must carry out the rectification immediately.

Under the following conditions, you may request that the processing of your personal data should be restricted:

1. If you dispute the accuracy of the personal data concerning you for a period of time which allows the Controller to verify the accuracy of the personal data;
2. The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
3. The Controller no longer needs the personal data for the purposes of the processing, but you require them for establishing, exercising or defending legal claims;
4. If you have lodged an objection against the processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the Controller’s legitimate reasons outweigh your reasons.

Where processing of the personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the restriction of the processing has been restricted in accordance with the above conditions, you will be informed by the Controller before the restriction is lifted.

Obligation to delete

You have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

1. The personal data relating to you is no longer necessary for the purposes for which it was collected or otherwise processed;
2. You withdraw your consent on which the processing was based according to Art. 6 (1)(a) or Art. 9 (2)(a), and there is no other legal ground for the processing;
3. You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
4. The personal data concerning you have been unlawfully processed;
5. The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
6. The personal data relating to you have been collected in relation to the offer of information society services referred to in Article 8 (1).

Information to third parties

Where the Controller has published the personal data concerning you and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform those responsible for processing the personal data that you as the data subject have requested the deletion of any links to, or copy or replication of, those personal data.

Exceptions

The right to deletion does not exist if the processing is necessary

1. for exercising the right of freedom of expression and information;
2. for complying with a legal obligation requiring processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. for reasons of public interest in the area of public health in accordance with Article 9 (2) (h) and (i) as well as Article 9 (3);
4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
5. for the establishment, exercise or defence of legal claims.

If you have exercised the right to rectification, deletion or restriction of processing vis-a-vis the Controller, the Controller shall be obliged to notify all recipients to whom the personal data related to you have been disclosed of this rectification, deletion or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You shall have the right vis-à-vis the person responsible to be informed of such recipients.

You have the right to object, on grounds relating to your particular situation, at any time, to any processing of personal data concerning you which is based on Article 6 (1)(e) or (f) of the GDPR, including profiling based on those provisions.

The Controller shall no longer process any personal data concerning you unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims, or the processing serves to assert, exercise or defend legal claims.

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

You have the right to receive the personal data concerning you that you have provided to the Controller in a structured, common and machine-readable format. You are also entitled to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where:

1. the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) GDPR or on a contract pursuant to Article 6 (1) (b); and
2. the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data transmitted directly from one Controller to another, where technically feasible. Freedoms and rights of other persons must not be affected by this.

The right to data transfer does not apply to processing of personal data required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

None.

Without prejudice to any other administrative or judicial remedy, you are entitled to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

We recommend that you contact the Controller’s official data protection officer (see contact details above), who is able to act independently and will work for a prompt solution to many data protection problems.

The supervisory authority responsible for the Carl von Ossietzky University of Oldenburg is:

The State Commissioner for Data Protection of Lower Saxony
Prinzenstraße 5 
30159 Hannover

Telephone: 0511 120-4500
Telefax: 0511 120-4599
Email: poststelle@lfd.niedersachsen.de